DIVISION POLYNOMIALS FOR TWISTED EDWARDS CURVES 
Abstract. This paper presents division polynomials for twisted Edwards curves. Their
chief property is that they characterise the $n$-torsion points of a given twisted Edwards
curve. We also present results concerning the coefficients of these polynomials, which may
aid computation.



1. Introduction 

Edwards [1] introduced an addition law on the curves $x^2 + y^2 = c^2(1 + x^2y^2)$ for $c \in k$,
where $k$ is a field of characteristic not equal to 2. He showed that every elliptic curve over
$k$ is birationally equivalent (over some extension of $k$) to a curve of this form.

In [2], Bernstein and Lange generalised this addition law to the curves $x^2 + y^2 = 1 + dx^2y^2$
for $d \in k \setminus \{0, 1\}$. More generally, they consider $x^2 + y^2 = c^2(1 + dx^2y^2)$; however, any
such curve is isomorphic to one of the form $x'^2 + y'^2 = 1 + d'x'^2y'^2$ for some $d' \in k$, so we
will assume $c = 1$. These curves are referred to as Edwards curves. Bernstein and Lange
showed that if $k$ is finite, a large class of elliptic curves over $k$ (all those which have a point
of order 4) can be represented in Edwards form.

In [3], Bernstein et al. introduced the twisted Edwards curves $ax^2 + y^2 = 1 + dx^2y^2$ (where
$a, d \in k$ are distinct and non-zero) and showed that every elliptic curve with a representation
in Montgomery form is birationally equivalent to a twisted Edwards curve.

In this paper we describe a sequence of rational functions, and consequently a sequence of 
polynomials, defined on the function field of a twisted Edwards curve which are analogous 
to the division polynomials for elliptic curves in Weierstrass form. In particular, these 
polynomials characterise the n-torsion points of the twisted Edwards curve for a positive 
integer n (see Corollary 5.2 and Corollary 6.2). These twisted Edwards division polynomials 
are polynomials in $y$ with coefficients in $\mathbb{Z}[a, d]$, and have degree in $y$ less than $n^2/2$.

In Theorem 4.1 we prove a uniqueness form for elements of the function field of an Edwards
curve, analogous to the known result that elements of the function field of a Weierstrass
curve can be written uniquely in the form $p(x) + y\,q(x)$. Our division polynomials (actually
rational functions) are presented in this unique form.

Furthermore, we show in Section 7 that the coefficients of a given twisted Edwards division
polynomial exhibit a certain symmetry, which may reduce the amount of computation
necessary for finding that polynomial.



2. Division polynomials for Weierstrass Curves 
We recall the division polynomials for Weierstrass curves here. 

First we recall the definition of the function field of an (affine) algebraic variety. If $V/k$
is a variety in affine $n$-space, $I(V)$ denotes the ideal generated by the polynomials in
$k[x_1, \dots, x_n]$ that vanish on $V$. The affine coordinate ring of $V$ is the integral domain

$$k[V] := \frac{k[x_1, \dots, x_n]}{I(V)}.$$

The function field of $V$ over $k$, denoted by $k(V)$, is defined to be the quotient field of
$k[V]$.

For example, if $W$ is an elliptic curve with Weierstrass equation $v^2 = u^3 + Au + B$, the
function field of $W$, $k(W)$, is the quotient field of $k[u, v]/(v^2 - u^3 - Au - B)$.

We use $(u, v)$ as the coordinates for a curve in Weierstrass form and reserve $(x, y)$ for
(twisted) Edwards curves.

If $\operatorname{char}(k) \neq 2$ or $3$, given an elliptic curve over $k$ in short Weierstrass form

$$W : v^2 = u^3 + Au + B$$

with identity $O$, the division polynomials $\Psi_n$ are polynomials defined on the function field
of $W$ for each $n \in \mathbb{N}$ by the following recursion:

$$\begin{aligned}
\Psi_0(u,v) &= 0 \\
\Psi_1(u,v) &= 1 \\
\Psi_2(u,v) &= 2v \\
\Psi_3(u,v) &= 3u^4 + 6Au^2 + 12Bu - A^2 \\
\Psi_4(u,v) &= 4v(u^6 + 5Au^4 + 20Bu^3 - 5A^2u^2 - 4ABu - A^3 - 8B^2) \\
\Psi_{2m+1}(u,v) &= \Psi_{m+2}(u,v)\Psi_m^3(u,v) - \Psi_{m-1}(u,v)\Psi_{m+1}^3(u,v) \quad \text{for } m \ge 2 \\
\Psi_{2m}(u,v) &= \frac{\Psi_m(u,v)}{\Psi_2(u,v)}\left(\Psi_{m+2}(u,v)\Psi_{m-1}^2(u,v) - \Psi_{m-2}(u,v)\Psi_{m+1}^2(u,v)\right) \quad \text{for } m \ge 3.
\end{aligned}$$

The $\Psi_n$ are polynomials in $u$ and $v$ with coefficients in $\mathbb{Z}[A, B]$. The principal properties of
the division polynomials are that $\Psi_n(u, v) = 0$ precisely when $(u, v)$ is an $n$-torsion point of
$W$ (i.e. $[n](u, v) = O$), and that the multiplication-by-$n$ map $[n] : W \to W$ is characterised
by the division polynomials as



[n]{u,v) 



(see e.g. [4], Chapters 3, 9, [5], Chapter 3). If $n$ is odd then $\Psi_n \in \mathbb{Z}[u, A, B]$, and has
degree $(n^2 - 1)/2$ in $u$. If $n$ is even then $\Psi_n \in v\mathbb{Z}[u, A, B]$ with degree $(n^2 - 4)/2$ in $u$. We
prove analogous results for twisted Edwards curves.

3. Twisted Edwards Curves 

Let $k$ be a field with characteristic $\neq 2$ or $3$. Let $K$ be an extension field of $k$. Let $E(K)$
be the twisted Edwards curve over $K$ with coefficients $a$ and $d$, where $a$ and $d$ are distinct
and non-zero:

$$E(K) : ax^2 + y^2 = 1 + dx^2y^2.$$

Points on $E(K)$ may be added by the rule

$$(x_1, y_1) + (x_2, y_2) = \left(\frac{x_1y_2 + x_2y_1}{1 + dx_1x_2y_1y_2},\ \frac{y_1y_2 - ax_1x_2}{1 - dx_1x_2y_1y_2}\right)$$

and under this operation, the points on $E(K)$ form an abelian group. The identity is
$(0, 1)$, and the additive inverse of a point $(x, y)$ is $(-x, y)$. The projective closure of $E$ has
singularities at $(1 : 0 : 0)$ and $(0 : 1 : 0)$.

The twisted Edwards curve $E(K)$ is birationally equivalent to the Weierstrass-form elliptic
curve

$$W(K) : v^2 = u^3 - \frac{(a^2 + 14ad + d^2)}{48}u - \frac{(a^3 - 33a^2d - 33ad^2 + d^3)}{864}$$

under the transformation

$$u := \frac{(5a - d) + (a - 5d)y}{12(1 - y)}, \qquad v := \frac{(a - d)(1 + y)}{4x(1 - y)} \qquad \text{if } (x, y) \neq (0, \pm 1),$$

otherwise

$$(x, y) = (0, 1) \mapsto (u, v) = O$$
$$(x, y) = (0, -1) \mapsto (u, v) = \left(\frac{a + d}{6},\ 0\right).$$
The inverse transformation is given by

$$x = \frac{6u - (a + d)}{6v}, \qquad y = \frac{12u + d - 5a}{12u + a - 5d} \qquad \text{if } v(12u + a - 5d) \neq 0$$

and

$$(u, v) = O \mapsto (x, y) = (0, 1)$$
$$(u, v) = \left(\frac{a + d}{6},\ 0\right) \mapsto (x, y) = (0, -1).$$
There are 4 points on $W(k)$ that are not mapped to any point on the twisted Edwards
curve. These are $(u, v) = \left(\frac{5d - a}{12},\ \pm\frac{s(d - a)}{4}\right)$ and $(u, v) = \left(\frac{-(a + d) \pm 6t}{12},\ 0\right)$, where $s, t \in k$
are such that $s^2 = d$, $t^2 = ad$. We note that $\left(\frac{-(a + d) \pm 6t}{12},\ 0\right)$ are points of order 2 on $W$, and
$\left(\frac{5d - a}{12},\ \pm\frac{s(d - a)}{4}\right)$ are points of order 4 on $W$. Had we defined the birational equivalence
between the projective closures of $W$ and $E$, the points $(5d - a : \pm 3s(d - a) : 12)$ would
map to the singular point $(0 : 1 : 0)$ of $E$, while the points $(-(a + d) \pm 6t : 0 : 12)$ would map
to the singular point $(1 : 0 : 0)$ of $E$.

4. Function Field of a Twisted Edwards Curve 

For Weierstrass curves $v^2 = u^3 + Au + B$ it is well known (see [5] for example) that an
element of the function field can be written uniquely in the form

$$p(u) + v\,q(u)$$

where $p(u), q(u)$ are polynomials in $u$.

We prove an analogous result for twisted Edwards curves $E$. Not surprisingly, rational
functions are needed in place of the polynomials. We use the notation $\operatorname{ord}_P(f)$ to denote
the valuation of a function $f \in K(E)$ at a point $P$.

Theorem 4.1. Any function $g \in K(E)$ can be written uniquely as

$$g(x, y) = p(y) + x\,q(y)$$

where $p(y), q(y)$ are rational functions in $y$.

Proof: Let $f(x, y) = 0$ be the equation defining $E$, where

$$f(x, y) = ax^2 + y^2 - 1 - dx^2y^2.$$

In $K(E)$ we have

$$x^2 = \frac{1 - y^2}{a - dy^2}.$$

It is then clear that $g$ can be written in the stated form.

Suppose this expression for $g$ is not unique. Then $A(y) + xB(y) = 0$ for some nonzero
rational functions $A(y), B(y)$. So

$$x = -\frac{A(y)}{B(y)}$$

which implies

$$\operatorname{ord}_{(0,1)} x = \operatorname{ord}_{(0,1)} A(y) - \operatorname{ord}_{(0,1)} B(y). \tag{1}$$

We obtain our contradiction by showing that the right-hand side of equation (1) is even,
but the left-hand side is equal to 1.

First we need $\operatorname{ord}_{(0,1)}(y - 1)$, so we compute

$$\begin{aligned}
f(x, y + 1) &= ax^2 + (y + 1)^2 - 1 - dx^2(y + 1)^2 \\
&= ax^2 + y^2 + 2y - dx^2y^2 - 2dx^2y - dx^2.
\end{aligned}$$

Then

$$f(x, 0 + 1) = (a - d)x^2$$

which implies $\operatorname{ord}_{(0,1)}(y - 1) = 2$ since $x$ is a local uniformizer.

To find $\operatorname{ord}_{(0,1)} x$, we use the fact that (again translating to the origin)

$$x^2(a - d(y + 1)^2) = y(-y - 2).$$

Note that $\operatorname{ord}_{(0,0)}(a - d(y + 1)^2) = 0$ because $y^2 = a/d$ in the (usual) curve equation implies
$a = d$, which is not allowed. Thus (after translation)

$$\operatorname{ord}_{(0,0)}(x^2) = \operatorname{ord}_{(0,0)} y$$

which implies (before translation) $\operatorname{ord}_{(0,1)} x = 1$.

When computing $\operatorname{ord}_{(0,1)} A(y)$, we write $A(y + 1) = a(y)/b(y)$ for some polynomials $a(y), b(y)$.
Then

$$\operatorname{ord}_{(0,1)} A(y) = \operatorname{ord}_{(0,0)} a(y) - \operatorname{ord}_{(0,0)} b(y).$$

Let $n_0$ be the degree of the term of smallest degree in $a(y)$, and similarly let $m_0$ be the
degree of the term of smallest degree in $b(y)$. Then $\operatorname{ord}_{(0,0)} a(y) = n_0(\operatorname{ord}_{(0,0)} y) = 2n_0$, and
similarly, $\operatorname{ord}_{(0,0)} b(y) = 2m_0$. Thus $\operatorname{ord}_{(0,1)} A(y) = 2(n_0 - m_0)$, which is even.

Similarly, $\operatorname{ord}_{(0,1)} B(y)$ is even. This proves that the right-hand side of (1) is even, and we
are done. □

Corollary 4.2. Any function $g \in K(E)$ can be written uniquely as

$$g(x, y) = p'(y) + \frac{1}{x}\,q'(y)$$

where $p'(y), q'(y)$ are rational functions in $y$.

Proof: This follows from Theorem 4.1, and the fact that

$$x = \frac{1}{x} \cdot \frac{1 - y^2}{a - dy^2}$$

on the function field of $E$. In fact $p'(y)$ is equal to $p(y)$, using the notation of Theorem
4.1, and

$$q'(y) = q(y)\,\frac{1 - y^2}{a - dy^2}.$$

□
5. Division Polynomials on Twisted Edwards Curves

We define the following rational functions $\psi_n(x, y)$ on the function field of $E$ recursively
for $n \ge 0$:

$$\begin{aligned}
\psi_0(x, y) &:= 0 \\
\psi_1(x, y) &:= 1 \\
\psi_2(x, y) &:= \frac{(a - d)(1 + y)}{x(2(1 - y))} \\
\psi_3(x, y) &:= \frac{(a - d)^3(a + 2ay - 2dy^3 - dy^4)}{(2(1 - y))^4} \\
\psi_4(x, y) &:= \frac{2(a - d)^6\,y(1 + y)(a - dy^4)}{x(2(1 - y))^7} \\
\psi_{2m+1}(x, y) &:= \psi_{m+2}(x, y)\psi_m^3(x, y) - \psi_{m-1}(x, y)\psi_{m+1}^3(x, y) \quad \text{for } m \ge 2 \\
\psi_{2m}(x, y) &:= \frac{\psi_m(x, y)}{\psi_2(x, y)}\left(\psi_{m+2}(x, y)\psi_{m-1}^2(x, y) - \psi_{m-2}(x, y)\psi_{m+1}^2(x, y)\right) \quad \text{for } m \ge 3.
\end{aligned}$$

These functions are not defined at the points (0, 1) and (0,-1). We point out that these 
elements of the function field K{E) are in the unique form given in Corollary 4.2. 

For $n \ge 1$, we also define

$$\phi_n(x, y) := \frac{(1 + y)\psi_n^2(x, y)}{(1 - y)} - \frac{4\psi_{n-1}(x, y)\psi_{n+1}(x, y)}{(a - d)}$$

and

$$\omega_n(x, y) := \frac{2\psi_{2n}(x, y)}{(a - d)\psi_n(x, y)}.$$

Next we show that these rational functions arise in the multiplication-by-$n$ map.

Theorem 5.1. Let $(x, y)$ be a point in $E(k) \setminus \{(0, 1), (0, -1)\}$ and $n \ge 1$ an integer. Then

$$[n](x, y) = \left(\frac{\phi_n(x, y)\psi_n(x, y)}{\omega_n(x, y)},\ \frac{\phi_n(x, y) - \psi_n^2(x, y)}{\phi_n(x, y) + \psi_n^2(x, y)}\right).$$

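Proof: Compute the division polynomials for the given Weierstrass elliptic curve, $W : v^2 = u^3 + Au + B$, where

$$A = -\frac{(a^2 + 14ad + d^2)}{48}, \qquad B = -\frac{(a^3 - 33a^2d - 33ad^2 + d^3)}{864}.$$

We get

$$\begin{aligned}
\Psi_0(u, v) &= 0 \\
\Psi_1(u, v) &= 1 \\
\Psi_2(u, v) &= 2v \\
\Psi_3(u, v) &= 3u^4 + 6Au^2 + 12Bu - A^2 \\
\Psi_4(u, v) &= 4v(u^6 + 5Au^4 + 20Bu^3 - 5A^2u^2 - 4ABu - A^3 - 8B^2) \\
\Psi_{2m+1}(u, v) &= \Psi_{m+2}(u, v)\Psi_m^3(u, v) - \Psi_{m-1}(u, v)\Psi_{m+1}^3(u, v) \quad \text{for } m \ge 2 \\
\Psi_{2m}(u, v) &= \frac{\Psi_m(u, v)}{\Psi_2(u, v)}\left(\Psi_{m+2}(u, v)\Psi_{m-1}^2(u, v) - \Psi_{m-2}(u, v)\Psi_{m+1}^2(u, v)\right) \quad \text{for } m \ge 3.
\end{aligned}$$

Substituting

$$A = -\frac{(a^2 + 14ad + d^2)}{48}, \qquad B = -\frac{(a^3 - 33a^2d - 33ad^2 + d^3)}{864}$$

and

$$u := \frac{(5a - d) + (a - 5d)y}{12(1 - y)}, \qquad v := \frac{(a - d)(1 + y)}{4x(1 - y)},$$

for the cases 0, 1, 2, 3, 4 we see that $\Psi_i(u, v) = \psi_i(x, y)$ for $i = 0, 1, 2, 3, 4$. Hence, as the
recursion relations for the two sets of functions $\Psi_i(u, v)$ and $\psi_i(x, y)$ are identical for $i \ge 5$,
we have that $\Psi_n(u, v) = \psi_n(x, y)$ for all integers $n \ge 0$.

From here on we will use the abbreviated notations $\psi_n$ for $\psi_n(x, y)$, $\phi_n$ for $\phi_n(x, y)$ and
$\omega_n$ for $\omega_n(x, y)$. Let $(x_n, y_n) = [n](x, y)$, and $(u_n, v_n) = [n]_W(u, v)$.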

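From the properties of the division polynomials,

$$u_n = u - \frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2}, \qquad v_n = \frac{\psi_{2n}}{2\psi_n^4},$$

and, applying the birational equivalence gives

$$x_n = \frac{6u_n - (a + d)}{6v_n}, \qquad y_n = \frac{12u_n + d - 5a}{12u_n + a - 5d}.$$

For the first coordinate,

$$\begin{aligned}
x_n &= \frac{\psi_n^4}{3\psi_{2n}}\left(6\left(\frac{5a - d + (a - 5d)y}{12(1 - y)} - \frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2}\right) - (a + d)\right) \\
&= \frac{\psi_n^2}{\psi_{2n}}\left(\frac{(a - d)(1 + y)\psi_n^2}{2(1 - y)} - 2\psi_{n-1}\psi_{n+1}\right) \\
&= \frac{(a - d)\psi_n^2}{2\psi_{2n}}\left(\frac{1 + y}{1 - y}\psi_n^2 - \frac{4\psi_{n-1}\psi_{n+1}}{a - d}\right) \\
&= \frac{\phi_n\psi_n}{\omega_n}.
\end{aligned}$$

For the second coordinate,

$$\begin{aligned}
12u_n + d - 5a &= 12\left(\frac{5a - d + (a - 5d)y}{12(1 - y)} - \frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2}\right) + d - 5a
= \frac{6(a - d)y}{1 - y} - \frac{12\psi_{n-1}\psi_{n+1}}{\psi_n^2}, \\
12u_n + a - 5d &= \frac{6(a - d)}{1 - y} - \frac{12\psi_{n-1}\psi_{n+1}}{\psi_n^2},
\end{aligned}$$

so

$$y_n = \frac{(a - d)y\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}{(a - d)\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}.$$

On the other hand,

$$\frac{\phi_n - \psi_n^2}{\phi_n + \psi_n^2}
= \frac{\left(\frac{1 + y}{1 - y} - 1\right)\psi_n^2 - \frac{4\psi_{n-1}\psi_{n+1}}{a - d}}{\left(\frac{1 + y}{1 - y} + 1\right)\psi_n^2 - \frac{4\psi_{n-1}\psi_{n+1}}{a - d}}
= \frac{(a - d)y\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}{(a - d)\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}
= y_n.$$

Thus

$$[n](x, y) = \left(\frac{\phi_n(x, y)\psi_n(x, y)}{\omega_n(x, y)},\ \frac{\phi_n(x, y) - \psi_n^2(x, y)}{\phi_n(x, y) + \psi_n^2(x, y)}\right).$$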
Corollary 5.2. Let $P = (x, y)$ be in $E(k) \setminus \{(0, 1), (0, -1)\}$ and let $n \ge 1$. Then $P$ is an
$n$-torsion point of $E$ if and only if $\psi_n(P) = 0$.

Proof: Since the identity is (0, 1), the result is clear from Theorem 5.1. □ 
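
Corollary 5.2 can be checked numerically on a small curve. The following Python sketch is an added example, not code from the paper: it evaluates $\psi_n$ over $\mathbb{F}_{101}$ with the recursion of this section and compares its zeros with $[n]P = (0, 1)$ computed by the addition law of Section 3. The prime 101, the coefficients $a = 1$, $d = 2$ and all function names are assumptions chosen for illustration.

```python
# Constructed toy parameters: a = 1 is a square and d = 2 a non-square mod 101,
# so the denominators of the addition law never vanish on this curve.
P_MOD, A, D = 101, 1, 2

IDENTITY = (0, 1)
EXCLUDED = {(0, 1), (0, P_MOD - 1)}   # psi_n is not defined at (0, 1) and (0, -1)


def inv(z):
    """Inverse of z in F_p (raises ValueError if z = 0 mod p)."""
    return pow(z % P_MOD, -1, P_MOD)


def curve_points():
    """All affine points of a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (A * x * x + y * y - 1 - D * x * x * y * y) % P_MOD == 0]


def add(p, q):
    """Twisted Edwards addition law from Section 3."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P_MOD,
            (y1 * y2 - A * x1 * x2) * inv(1 - t) % P_MOD)


def psi_values(x, y, n_max):
    """[psi_0(x,y), ..., psi_n_max(x,y)] in F_p, from the Section 5 definitions."""
    ad = (A - D) % P_MOD
    w = inv(2 * (1 - y))                       # 1 / (2(1 - y))
    psi = [0, 1,
           ad * (1 + y) * inv(x) * w % P_MOD,
           ad**3 * (A + 2*A*y - 2*D*y**3 - D*y**4) * w**4 % P_MOD,
           2 * ad**6 * y * (1 + y) * (A - D*y**4) * inv(x) * w**7 % P_MOD]
    inv_psi2 = inv(psi[2])                     # psi_2 != 0 because y != -1
    for n in range(5, n_max + 1):
        m = n // 2
        if n % 2:   # n = 2m + 1 with m >= 2
            v = psi[m+2] * psi[m]**3 - psi[m-1] * psi[m+1]**3
        else:       # n = 2m with m >= 3
            v = psi[m] * inv_psi2 * (psi[m+2] * psi[m-1]**2
                                     - psi[m-2] * psi[m+1]**2)
        psi.append(v % P_MOD)
    return psi[:n_max + 1]


def check_torsion(n_max=12):
    """Compare 'psi_n(P) == 0' with '[n]P == (0, 1)' for each admissible P, 1 <= n <= n_max.

    Returns (number of pairs (P, n) with psi_n(P) == 0, number of disagreements).
    """
    hits = mismatches = 0
    for pt in curve_points():
        if pt in EXCLUDED:
            continue
        psi = psi_values(*pt, n_max)
        q = IDENTITY
        for n in range(1, n_max + 1):
            q = add(q, pt)                     # q = [n]P
            vanishes = psi[n] == 0
            hits += vanishes
            mismatches += vanishes != (q == IDENTITY)
    return hits, mismatches


if __name__ == "__main__":
    print(check_torsion())
```

The points $(\pm 1, 0)$ have order 4 on this curve, so $\psi_4$, $\psi_8$ and $\psi_{12}$ vanish at them while $\psi_2$ and $\psi_3$ do not.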

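So the $\psi_n(x, y)$, though they are rational functions, can be seen as analogues of division
polynomials. Here are the first seven $\psi_n(x, y)$:

$$\begin{aligned}
\psi_0 &= 0 \\
\psi_1 &= 1 \\
\psi_2 &= \frac{(a - d)(y + 1)}{x(2(1 - y))} \\
\psi_3 &= \frac{(a - d)^3(-dy^4 - 2dy^3 + 2ay + a)}{(2(1 - y))^4} \\
\psi_4 &= \frac{(a - d)^6(-2dy^6 - 2dy^5 + 2ay^2 + 2ay)}{x(2(1 - y))^7} \\
\psi_5 &= \frac{(a - d)^9(d^3y^{12} - 2d^3y^{11} + \cdots + 2a^3y - a^3)}{(2(1 - y))^{12}} \\
\psi_6 &= \frac{(a - d)^{13}(-d^4y^{17} - d^4y^{16} + (4ad^3 - 4d^4)y^{15} + \cdots + (4a^3d - 4a^4)y^2 - a^4y - a^4)}{x(2(1 - y))^{17}}.
\end{aligned}$$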



As we said earlier, these elements of the function field K{E) are in the unique form given 
in Corollary 4.2. 

The apparent patterns here are proved in the next theorem. 

6. Division Polynomials 

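The next theorem isolates the key polynomial in the numerator of $\psi_n$, which we call
$\tilde\psi_n(y)$. These polynomials could also be called the division polynomials for twisted Edwards
curves.

Theorem 6.1. We have

$$\psi_n(x, y) = \begin{cases}
(a - d)^{k(n)}\,\tilde\psi_n(y)\big/(2(1 - y))^{m(n)} & \text{if $n$ is odd} \\
(a - d)^{k(n)}\,\tilde\psi_n(y)\big/\left(x(2(1 - y))^{m(n)}\right) & \text{if $n$ is even}
\end{cases}$$

where

$$m(n) = \begin{cases}
\dfrac{n^2 - 1}{2} & \text{if $n$ is odd} \\
\dfrac{n^2 - 2}{2} & \text{if $n$ is even}
\end{cases}$$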




RICHARD MOLONEY AND LAURA HITT AND GARY MCGUIRE 



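and

$$k(n) = \left\lfloor \frac{3n^2}{8} \right\rfloor$$

and

$$\begin{aligned}
\tilde\psi_0(y) &= 0 \\
\tilde\psi_1(y) &= 1 \\
\tilde\psi_2(y) &= y + 1 \\
\tilde\psi_3(y) &= -dy^4 - 2dy^3 + 2ay + a \\
\tilde\psi_4(y) &= -2y(y + 1)(dy^4 - a) = -2dy^6 - 2dy^5 + 2ay^2 + 2ay,
\end{aligned}$$

and

$$\tilde\psi_{2r+1}(y) = \begin{cases}
\dfrac{4(a - d)(a - dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y + 1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y) & \text{if } r \equiv 0 \pmod 4,\ r \ge 4 \\[2ex]
\tilde\psi_{r+2}(y)\tilde\psi_r^3(y) - \dfrac{4(a - dy^2)^2\,\tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y)}{(y + 1)^2} & \text{if } r \equiv 1 \pmod 4,\ r \ge 5 \\[2ex]
\dfrac{4(a - dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y + 1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y) & \text{if } r \equiv 2 \pmod 4,\ r \ge 2 \\[2ex]
\tilde\psi_{r+2}(y)\tilde\psi_r^3(y) - \dfrac{4(a - d)(a - dy^2)^2\,\tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y)}{(y + 1)^2} & \text{if } r \equiv 3 \pmod 4,\ r \ge 3
\end{cases}$$

and

$$\tilde\psi_{2r}(y) = \begin{cases}
\dfrac{\tilde\psi_r(y)}{y + 1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 0 \pmod 4,\ r \ge 4 \\[2ex]
\dfrac{\tilde\psi_r(y)}{y + 1}\left((a - d)\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 1 \pmod 4,\ r \ge 5 \\[2ex]
\dfrac{\tilde\psi_r(y)}{y + 1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 2 \pmod 4,\ r \ge 6 \\[2ex]
\dfrac{\tilde\psi_r(y)}{y + 1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - (a - d)\tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 3 \pmod 4,\ r \ge 3.
\end{cases}$$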



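Proof:

First observe for all $t \in \mathbb{Z}$, $t \ge 0$,

$$\begin{aligned}
m(4t) &= \frac{16t^2 - 2}{2} = 8t^2 - 1 \\
m(4t \pm 1) &= \frac{(4t \pm 1)^2 - 1}{2} = \frac{16t^2 \pm 8t}{2} = 8t^2 \pm 4t \\
m(4t \pm 2) &= \frac{(4t \pm 2)^2 - 2}{2} = \frac{16t^2 \pm 16t + 2}{2} = 8t^2 \pm 8t + 1 \\
m(4t \pm 3) &= \frac{(4t \pm 3)^2 - 1}{2} = \frac{16t^2 \pm 24t + 8}{2} = 8t^2 \pm 12t + 4
\end{aligned}$$

and

$$\begin{aligned}
k(4t) &= \left\lfloor \frac{3(4t)^2}{8} \right\rfloor = 6t^2 \\
k(4t \pm 1) &= \left\lfloor \frac{3(4t \pm 1)^2}{8} \right\rfloor = \left\lfloor 6t^2 \pm 3t + \frac{3}{8} \right\rfloor = 6t^2 \pm 3t \\
k(4t \pm 2) &= \left\lfloor \frac{3(4t \pm 2)^2}{8} \right\rfloor = \left\lfloor 6t^2 \pm 6t + \frac{12}{8} \right\rfloor = 6t^2 \pm 6t + 1 \\
k(4t \pm 3) &= \left\lfloor \frac{3(4t \pm 3)^2}{8} \right\rfloor = \left\lfloor 6t^2 \pm 9t + \frac{27}{8} \right\rfloor = 6t^2 \pm 9t + 3.
\end{aligned}$$

The proof is by induction. The claim is true for $n = 0, \dots, 4$.
Assume true for $0, \dots, n - 1$.

Case 1: $n \equiv 0 \pmod 8$, i.e. $n = 8l$ for some $l \in \mathbb{Z}$. Let $r = 4l$.
By definition,

$$\begin{aligned}
\psi_n &= \frac{\psi_r}{\psi_2}\left(\psi_{r+2}\psi_{r-1}^2 - \psi_{r-2}\psi_{r+1}^2\right) \\
&= \frac{(a - d)^{k(r)-1}\tilde\psi_r}{(y + 1)(2(1 - y))^{m(r)-1}}
\cdot\left(\frac{(a - d)^{k(r+2)+2k(r-1)}\tilde\psi_{r+2}\tilde\psi_{r-1}^2}{x(2(1 - y))^{m(r+2)+2m(r-1)}}
- \frac{(a - d)^{k(r-2)+2k(r+1)}\tilde\psi_{r-2}\tilde\psi_{r+1}^2}{x(2(1 - y))^{m(r-2)+2m(r+1)}}\right).
\end{aligned}$$

Also,

$$\begin{aligned}
m(4l) - 1 + m(4l + 2) + 2m(4l - 1) &= 8l^2 - 1 - 1 + 8l^2 + 8l + 1 + 16l^2 - 8l \\
&= 32l^2 - 1 = m(8l) = m(n) \\
m(4l) - 1 + m(4l - 2) + 2m(4l + 1) &= 8l^2 - 1 - 1 + 8l^2 - 8l + 1 + 16l^2 + 8l \\
&= 32l^2 - 1 = m(8l) = m(n)
\end{aligned}$$

and

$$\begin{aligned}
k(4l) - 1 + k(4l + 2) + 2k(4l - 1) &= 6l^2 - 1 + 6l^2 + 6l + 1 + 12l^2 - 6l \\
&= 24l^2 = k(8l) = k(n) \\
k(4l) - 1 + k(4l - 2) + 2k(4l + 1) &= 6l^2 - 1 + 6l^2 - 6l + 1 + 12l^2 + 6l \\
&= 24l^2 = k(8l) = k(n).
\end{aligned}$$

So

$$\begin{aligned}
\psi_n &= \frac{(a - d)^{k(n)}}{x(y + 1)(2(1 - y))^{m(n)}}\left[\tilde\psi_r\left(\tilde\psi_{r+2}\tilde\psi_{r-1}^2 - \tilde\psi_{r-2}\tilde\psi_{r+1}^2\right)\right] \\
&= \frac{(a - d)^{k(n)}\tilde\psi_n(y)}{x(2(1 - y))^{m(n)}}.
\end{aligned}$$

Case 2: $n \equiv 1 \pmod 8$, i.e. $n = 8l + 1$ for some $l \in \mathbb{Z}$. Let $r = 4l$.
By definition

$$\begin{aligned}
\psi_n &= \psi_{r+2}\psi_r^3 - \psi_{r-1}\psi_{r+1}^3 \\
&= \frac{(a - d)^{k(r+2)+3k(r)}\tilde\psi_{r+2}\tilde\psi_r^3}{x^4(2(1 - y))^{m(r+2)+3m(r)}}
- \frac{(a - d)^{k(r-1)+3k(r+1)}\tilde\psi_{r-1}\tilde\psi_{r+1}^3}{(2(1 - y))^{m(r-1)+3m(r+1)}}.
\end{aligned}$$

Using the curve equation

$$ax^2 + y^2 = 1 + dx^2y^2$$

gives

$$x^2 = \frac{(1 - y^2)}{(a - dy^2)} = \frac{(1 - y)(1 + y)}{(a - dy^2)}, \qquad
x^4 = \frac{(1 - y)^2(1 + y)^2}{(a - dy^2)^2},$$

so

$$\psi_n = \frac{4(a - d)^{k(r+2)+3k(r)}(a - dy^2)^2\tilde\psi_{r+2}\tilde\psi_r^3}{(1 + y)^2(2(1 - y))^{m(r+2)+3m(r)+2}}
- \frac{(a - d)^{k(r-1)+3k(r+1)}\tilde\psi_{r-1}\tilde\psi_{r+1}^3}{(2(1 - y))^{m(r-1)+3m(r+1)}}.$$

Again,

$$\begin{aligned}
k(4l + 2) + 3k(4l) &= 6l^2 + 6l + 1 + 18l^2 = 24l^2 + 6l + 1 \\
&= k(n) + 1 \\
k(4l - 1) + 3k(4l + 1) &= 6l^2 - 3l + 18l^2 + 9l = 24l^2 + 6l \\
&= k(n)
\end{aligned}$$

and

$$\begin{aligned}
m(4l + 2) + 3m(4l) + 2 &= 8l^2 + 8l + 1 + 24l^2 - 3 + 2 = 32l^2 + 8l \\
&= m(n) \\
m(4l - 1) + 3m(4l + 1) &= 8l^2 - 4l + 24l^2 + 12l = 32l^2 + 8l \\
&= m(n).
\end{aligned}$$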
Hence

Cases 3, …, 8: $n \equiv 2, \dots, 7 \pmod 8$. Similar. □

Corollary 6.2. Let $P = (x, y)$ be in $E(k) \setminus \{(0, 1)\}$ and let $n \ge 1$. Then
$P$ is an $n$-torsion point of $E$ if and only if $\tilde\psi_n(y) = 0$.

Proof: The result follows from Corollary 5.2 and Theorem 6.1. □



7. Further Facts 
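Here are some more facts about the $\tilde\psi_n$.

Theorem 7.1. $\tilde\psi_n(y) \in \mathbb{Z}[a, d, y]$ $\forall n \ge 0$, and $(y + 1)$ divides $\tilde\psi_n(y)$ if $n$ is even.

Proof: Proof is by induction. The statement is true for $n = 0, 1, 2, 3, 4$. Now suppose it is
true for $0, 1, 2, \dots, n - 1$:

Case 1: $n \equiv 0 \pmod 8$, i.e. $n = 8l$ for some $l \in \mathbb{Z}$. Let $r = 4l$.

Then
$$\tilde\psi_n(y) = \frac{\tilde\psi_r(y)}{y + 1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right)$$
and $\tilde\psi_r(y), \tilde\psi_{r+2}(y), \tilde\psi_{r-1}(y), \tilde\psi_{r-2}(y), \tilde\psi_{r+1}(y) \in \mathbb{Z}[a, d, y]$. Also, $(y + 1)$ divides $\tilde\psi_r(y)$, $\tilde\psi_{r+2}(y)$,
and $\tilde\psi_{r-2}(y)$ by hypothesis. Hence $\tilde\psi_n(y) \in \mathbb{Z}[a, d, y]$ and $(y + 1)$ divides $\tilde\psi_n(y)$.

Case 2: $n \equiv 1 \pmod 8$, i.e. $n = 8l + 1$ for some $l \in \mathbb{Z}$. Let $r = 4l$.

Then
$$\tilde\psi_n(y) = \frac{4(a - d)(a - dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y + 1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y)$$
and $\tilde\psi_{r+2}(y), \tilde\psi_r(y), \tilde\psi_{r-1}(y), \tilde\psi_{r+1}(y) \in \mathbb{Z}[a, d, y]$. Also, $(y + 1)$ divides $\tilde\psi_r(y)$ and $\tilde\psi_{r+2}(y)$
by hypothesis. Hence $\tilde\psi_n(y) \in \mathbb{Z}[a, d, y]$.

Cases 3, …, 8: $n \equiv 2, \dots, 7 \pmod 8$. Similar. □

Theorem 7.2 and Corollary 7.3 provide results for the degrees of these polynomials $\tilde\psi_n(y)$,
and Theorem 7.6 shows that the coefficients of the polynomials exhibit a large amount of
symmetry.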
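Theorem 7.2. If $\operatorname{char}(k) = 0$ or $4 \cdot \operatorname{char}(k) \nmid n$, then $\tilde\psi_n(y)$ has leading term (term of
largest degree in $y$)

$$\begin{cases}
\delta(n)\,d^{m(n)-k(n)}\,y^{m(n)} & \text{if } n \not\equiv 0 \pmod 4 \\
\delta(n)\,d^{m(n)-k(n)}\,y^{m(n)-1} & \text{if } n \equiv 0 \pmod 4
\end{cases}$$

where

$$\delta(n) = \begin{cases}
\dfrac{n}{2} & \text{if } n \equiv 0 \pmod 8 \\[1ex]
-\dfrac{n}{2} & \text{if } n \equiv 4 \pmod 8 \\[1ex]
1 & \text{if } n \equiv 1, 2, \text{ or } 5 \pmod 8 \\
-1 & \text{if } n \equiv 3, 6, \text{ or } 7 \pmod 8
\end{cases}$$

and $m(n)$, $k(n)$ are as defined in Theorem 6.1.

If $\operatorname{char}(k) \neq 0$ and $4 \cdot \operatorname{char}(k) \mid n$, then $\deg(\tilde\psi_n(y)) < m(n) - 1$.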

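Proof: Proof is by induction. The statement is true for $n = 0, 1, 2, 3, 4$. Now suppose it is
true for $0, 1, 2, \dots, n - 1$:

Case 1: $n \equiv 0 \pmod 8$, i.e. $n = 8l$ for some $l \in \mathbb{Z}$. Let $r = 4l$. Then

$$\begin{aligned}
\tilde\psi_n(y) &= \frac{\tilde\psi_r(y)}{y + 1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) \\
&= \left(\delta(r)\,d^{m(r)-k(r)}\,y^{m(r)-2} + \dots\right) \times \\
&\quad \Big[\left(\delta(r + 2)(\delta(r - 1))^2\,d^{m(r+2)+2m(r-1)-k(r+2)-2k(r-1)}\,y^{m(r+2)+2m(r-1)} + \dots\right) \\
&\quad - \left(\delta(r - 2)(\delta(r + 1))^2\,d^{m(r-2)+2m(r+1)-k(r-2)-2k(r+1)}\,y^{m(r-2)+2m(r+1)} + \dots\right)\Big].
\end{aligned}$$

So, computing the $m$'s and $k$'s as in previous proofs, and noting that

$$\delta(r) = \pm 2l, \quad \delta(r + 2) = \pm 1, \quad \delta(r - 1) = -1, \quad \delta(r - 2) = \mp 1, \quad \delta(r + 1) = 1,$$

the leading term is thus

$$\begin{aligned}
\pm 2l\,d^{m(n)-k(n)}\,y^{m(r)-2}\left(\pm y^{m(r+2)+2m(r-1)} \pm y^{m(r-2)+2m(r+1)}\right)
&= \frac{n}{2}\,d^{m(n)-k(n)}\,y^{m(n)-1} \\
&= \delta(n)\,d^{m(n)-k(n)}\,y^{m(n)-1}.
\end{aligned}$$

The only exception being if $\operatorname{char}(k) \neq 0$ and $\operatorname{char}(k) \mid r$ (i.e. if $\operatorname{char}(k) \mid n$), in which case
$\deg(\tilde\psi_r(y)) < m(r) - 1$ and $\deg(\tilde\psi_n(y)) < m(n) - 1$.

Case 2: $n \equiv 1 \pmod 8$, i.e. $n = 8l + 1$ for some $l \in \mathbb{Z}$. Let $r = 4l$.

Then
$$\tilde\psi_n(y) = \frac{4(a - d)(a - dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y + 1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y).$$

The degree (in $y$) of the first term above is $m(r + 2) + 3(m(r) - 1) + 4 - 2 = 32l^2 + 8l - 3$.

The degree (in $y$) of the second term is $m(r - 1) + 3m(r + 1) = 32l^2 + 8l$. Thus $\frac{4(a - d)(a - dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y + 1)^2}$
does not contribute to the leading term which is

$$-\delta(r - 1)(\delta(r + 1))^3\,d^{m(r-1)+3m(r+1)-k(r-1)-3k(r+1)}\,y^{32l^2+8l}.$$

Now,

$$\begin{aligned}
\delta(r - 1) &= -1, \quad \delta(r + 1) = 1, \quad \delta(n) = 1 \\
k(r - 1) + 3k(r + 1) &= 24l^2 + 6l \\
m(n) - k(n) &= m(8l + 1) - k(8l + 1) = 32l^2 + 8l - (24l^2 + 6l) = 8l^2 + 2l.
\end{aligned}$$

So the leading term is $d^{m(n)-k(n)}\,y^{m(n)} = \delta(n)\,d^{m(n)-k(n)}\,y^{m(n)}$ as required.

The only exceptional case is if $\operatorname{char}(k) \neq 0$ and $\operatorname{char}(k) \mid r$, in which case $\deg(\tilde\psi_r(y)) <
m(r) - 1$, but as $\tilde\psi_r(y)$ does not contribute to the leading term, this does not affect the
result.

Cases 3, …, 8: $n \equiv 2, \dots, 7 \pmod 8$. Similar. □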

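Corollary 7.3. If $4 \nmid n$, then $\deg(\tilde\psi_n(y)) = m(n)$ where

$$m(n) = \begin{cases}
\dfrac{n^2 - 1}{2} & \text{if $n$ is odd} \\
\dfrac{n^2 - 2}{2} & \text{if $n$ is even.}
\end{cases}$$

If $4 \mid n$ and $\operatorname{char}(k) \nmid n$, $\deg(\tilde\psi_n(y)) = m(n) - 1$.
Otherwise $\deg(\tilde\psi_n(y)) < m(n) - 1$.

Proof: Immediate from Theorem 7.2. □

The only case where the degree of the polynomial $\tilde\psi_n$ is not known precisely is when
$4 \cdot \operatorname{char}(k) \mid n$.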

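Lemma 7.4. If $\operatorname{char}(k) = 0$ or $4 \cdot \operatorname{char}(k) \nmid n$, then $\tilde\psi_n(y)$ has final term (term of least
degree in $y$)

$$\begin{cases}
\epsilon(n)\,a^{m(n)-k(n)} & \text{if } n \not\equiv 0 \pmod 4 \\
\epsilon(n)\,a^{m(n)-k(n)}\,y & \text{if } n \equiv 0 \pmod 4
\end{cases}$$

where

$$\epsilon(n) = \begin{cases}
-\dfrac{n}{2} & \text{if } n \equiv 0 \pmod 8 \\[1ex]
\dfrac{n}{2} & \text{if } n \equiv 4 \pmod 8 \\[1ex]
1 & \text{if } n \equiv 1, 2, \text{ or } 3 \pmod 8 \\
-1 & \text{if } n \equiv 5, 6, \text{ or } 7 \pmod 8
\end{cases}$$

and $m(n)$, $k(n)$ are as defined in Theorem 6.1.

If $\operatorname{char}(k) \neq 0$ and $4 \cdot \operatorname{char}(k) \mid n$, then the term of least degree has degree greater than 1.

Proof: Similar to proof of Theorem 7.2. □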

Recall from Theorem 7.1 that $\tilde\psi_n(y) = \tilde\psi_n(a, d, y) \in \mathbb{Z}[a, d, y]$. If we write $\tilde\psi_n$ in the
form

$$\tilde\psi_n(a, d, y) = \alpha_{m(n)}y^{m(n)} + \alpha_{m(n)-1}y^{m(n)-1} + \cdots + \alpha_1y + \alpha_0$$

where $m(n)$ is as defined in Theorem 6.1 (so, in particular, if $4 \mid n$, $\alpha_{m(n)} = \alpha_0 = 0$) and
$\alpha_i \in \mathbb{Z}[a, d]$, then we define

$$\tilde\psi_n^*(a, d, y) := \alpha_0y^{m(n)} + \alpha_1y^{m(n)-1} + \cdots + \alpha_{m(n)-1}y + \alpha_{m(n)}.$$

Lemma 7.5. $\tilde\psi_n(a, d, y)$, considered as a polynomial in $a$ and $d$ (with coefficients in $\mathbb{Z}[a, d]$)
is homogeneous of degree $m(n) - k(n)$.

Proof: Proof is by induction using Theorem 6.1. □

Theorem 7.6. Consider $\tilde\psi_n(a, d, y) \in \mathbb{Z}[a, d, y]$, as a polynomial in three variables. Then
$\tilde\psi_n(a, d, y) = \tilde\psi_n^*(-d, -a, y)$.

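Proof: We can restate this theorem as: If

$$\tilde\psi_n(a, d, y) = \alpha_{m(n)}(a, d)y^{m(n)} + \alpha_{m(n)-1}(a, d)y^{m(n)-1} + \cdots + \alpha_1(a, d)y + \alpha_0(a, d)$$

then

$$\tilde\psi_n(a, d, y) = \alpha_0(-d, -a)y^{m(n)} + \alpha_1(-d, -a)y^{m(n)-1} + \cdots + \alpha_{m(n)-1}(-d, -a)y + \alpha_{m(n)}(-d, -a).$$

If $E$ is as defined at the outset,

$$E : ax^2 + y^2 = 1 + dx^2y^2$$

and we let $E'$ be the twisted Edwards curve

$$E' : dx^2 + y^2 = 1 + ax^2y^2$$

then the birational equivalence $(x, y) \mapsto \left(x, \frac{1}{y}\right)$ maps $E$ to $E'$, and $E'$ to $E$.

Now,

$$\psi_n(x, y) = \frac{(a - d)^{k(n)}\,\tilde\psi_n(y)}{(2(1 - y))^{m(n)}\,x^{\gamma(n)}}$$

where

$$\gamma(n) = \begin{cases} 1 & \text{if $n$ is even} \\ 0 & \text{if $n$ is odd} \end{cases}$$

and

$$\psi'_n(x, y) = \frac{(d - a)^{k(n)}\,\tilde\psi'_n(y)}{(2(1 - y))^{m(n)}\,x^{\gamma(n)}}$$

where $\psi'_n(x, y)$, $\tilde\psi'_n(y)$ are the relevant functions defined on $E'$.
Now,

$$\begin{aligned}
\psi'_n\left(x, \frac{1}{y}\right) &= \frac{(d - a)^{k(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right)}{\left(2\left(1 - \frac{1}{y}\right)\right)^{m(n)} x^{\gamma(n)}} \\
&= \frac{(a - d)^{k(n)}\left((-1)^{m(n)-k(n)}\,y^{m(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right)\right)}{(2(1 - y))^{m(n)}\,x^{\gamma(n)}}
\end{aligned}$$

and by theorem 7.2, $(-1)^{m(n)-k(n)}\,y^{m(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right) \in \mathbb{Z}[a, d, y]$.
By the birational equivalence, for any $(x, y) \in E$,

$$\psi_n(x, y) = 0 \iff \psi'_n\left(x, \frac{1}{y}\right) = 0$$

so

$$\tilde\psi_n(y) = 0 \iff (-1)^{m(n)-k(n)}\,y^{m(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right) = 0$$

which gives

$$\tilde\psi_n(y) = t\,(-1)^{m(n)-k(n)}\,y^{m(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right)$$

for some $t$. By comparing leading terms using theorems 7.2 and 7.4, we get $t = 1$, i.e.,

$$\tilde\psi_n(y) = (-1)^{m(n)-k(n)}\,y^{m(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right).$$

Now,

$$\tilde\psi_n(a, d, y) = \alpha_{m(n)}(a, d)y^{m(n)} + \alpha_{m(n)-1}(a, d)y^{m(n)-1} + \cdots + \alpha_1(a, d)y + \alpha_0(a, d)$$

and

$$\tilde\psi'_n(a, d, y) = \alpha_{m(n)}(d, a)y^{m(n)} + \alpha_{m(n)-1}(d, a)y^{m(n)-1} + \cdots + \alpha_1(d, a)y + \alpha_0(d, a).$$

Recall (lemma 7.5) that each of the $\alpha_i$ is homogeneous in $a$ and $d$ of degree $m(n) - k(n)$,
so

$$(-1)^{m(n)-k(n)}\,\tilde\psi'_n(a, d, y) = \alpha_{m(n)}(-d, -a)y^{m(n)} + \alpha_{m(n)-1}(-d, -a)y^{m(n)-1} + \cdots + \alpha_1(-d, -a)y + \alpha_0(-d, -a)$$

and

$$(-1)^{m(n)-k(n)}\,y^{m(n)}\,\tilde\psi'_n\left(\frac{1}{y}\right) = \alpha_{m(n)}(-d, -a) + \alpha_{m(n)-1}(-d, -a)y + \cdots$$

Hence, $\tilde\psi_n(a, d, y) = \tilde\psi_n^*(-d, -a, y)$. □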